Impact of legislation covering copyright and intellectual property rights for an IT organisation

The main piece of legislation governing copyright and intellectual property rights is the Copyright, Designs and Patents Act (1988). The Act was introduced to protect the investment of time, money and effort by the people who create original pieces of work, and has two main purposes:

  • To ensure people are rewarded for their endeavours
  • To give protection to the copyright holder if someone tries to copy or steal their work

An IT organisation would be very interested in this Act, as it protects, for example, any software they produce and distribute. Alongside original software, copyright is granted for:

  • Original literary, dramatic, musical and artistic work, including illustration and photography
  • Original non-literary written work, such as software, web content and databases
  • Sound and music recordings
  • Film and television recordings
  • Broadcasts
  • The layout of published editions of written, dramatic and musical works

Some pieces of original work may also be eligible for a patent. This is usually much harder than obtaining a copyright, as the work must be:

  • Something that can be made or used
  • New
  • Inventive – not just a simple modification to something that already exists

People can still use copyrighted material, so long as the use is for:

  • non-commercial research and private study
  • criticism and review (subject to a test of fair dealing)
  • news (excluding photos)
  • court hearings
  • material to help visually impaired people
  • teaching in educational establishments.

Businesses can be hit by this Act both ways. On the one hand, they want anything they produce to be their property, which no one else can use. On the other, it means that they have to be very careful when using other people’s material. For example, any images used must be ones which aren’t copyrighted. Another example is the use of songs in adverts: companies must ensure that they have acquired a licence to use the artist’s intellectual property for commercial gain. If not, the company could face legal issues and hefty fines.

Within my workplace

My workplace produces a lot of material, such as research papers, so we take steps to ensure that this isn’t used by other people for commercial gain. The use of this material for e.g. educational purposes is permitted, however, and is in fact encouraged by my organisation.

Another aspect we have to be aware of is our branding. Branding is important for any company, as it is a major way they are viewed by the public. We try to ensure that our design branding, e.g. our logo, is not used by anyone else, so that it remains specific to us.

Impact of legislation covering privacy, confidentiality and security for an IT organisation

There are lots of different pieces of legislation covering privacy, confidentiality and security. One of the big ones is the Data Protection Act, which governs how companies should handle sensitive customer / employee data. Companies must ensure that all information collected is necessary, well secured, relevant, up to date and available for viewing by the subject (upon request). This ensures that no information is kept which is unnecessary, thus protecting the subjects but also protecting the holders of the information from any legal action.

It is important for every company to ensure that ALL personal information stored about ANYONE is kept securely, and is held on an ethical basis. No data should be stored without someone’s consent. Ensuring this happens can naturally create a lot of overhead for a company.

The Employment Practices Code

This code governs the information to be gathered / stored when employing a new person, and should also apply to existing employees. It is designed to:

  • Increase trust in the workplace.
  • Encourage good housekeeping.
  • Protect organisations from legal action.
  • Encourage workers to treat customers’ personal data with respect.
  • Help organisations to meet other legal requirements.
  • Assist global businesses to adopt policies and practices which are consistent with similar legislation in other countries.
  • Help to prevent the illicit use of information by workers.

The code covers personal information (data which can identify an individual), processing information (data collected in the course of processing an individual’s details) and sensitive data, which is any data regarding:

  • Racial or ethnic origin.
  • Political opinions.
  • Religious beliefs or other beliefs of a similar nature.
  • Trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992).
  • Physical or mental health or condition.
  • Sexual life.
  • Commission or alleged commission of any offence.
  • Proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

In my workplace

My workplace (The Health Foundation) is very diligent when ensuring sensitive data is kept secure. We hold a lot of sensitive patient data, and we have a special area of the company which holds and processes it. This area is on a completely different network to the rest of the organisation, with the desks/PCs in a sealed-off section of the office. This is done to minimise the risk of data breaches from malicious attacks.

The HR team also holds a lot of sensitive information, such as bank details and personal information, as they are the ones who handle the payroll and employment of new people. They have their own shared section on the network which no one else can access, as they are the only ones who should have access to that data. Anyone who wishes to see information stored about them simply has to ask, in accordance with the Data Protection Act.

Impact of legislation covering health and safety for an IT organisation

There are lots of laws surrounding health and safety in the workplace, all of which aim to ensure that employees are adequately safe at work, preventing injuries and other work-related issues.

Health and Safety at Work etc Act 1974

The Health and Safety at Work etc Act 1974 (also referred to as the HASAW, or the HSW Act) is the primary piece of legislation covering occupational health and safety in Great Britain. The Health and Safety Executive, with local authorities (and other enforcing authorities), is responsible for enforcing the Act and a number of other Acts and Statutory Instruments relevant to the working environment.

The HSW Act places a duty on all employers “to ensure, so far as is reasonably practicable, the health, safety and welfare at work” of all their employees. Among other things, the Act requires:

  • safe operation and maintenance of the working environment, plant and systems
  • maintenance of safe access and egress to the workplace
  • safe use, handling and storage of dangerous substances
  • adequate training of staff to ensure health and safety
  • adequate welfare provisions for staff at work.

In my workplace

In my workplace there are lots of things in place to ensure our safety. One of these is a weekly office check by the Facilities team to ensure that there are no dangerous obstructions in the workplace, so that we can traverse without risk.

When someone first joins the organisation, they are given a desk orientation session. This is done to make sure that the employee is seated comfortably at their desk, and won’t suffer from any work-related stress injuries that might arise from sitting at a desk for long hours of the day.

The Act’s requirements for adequate welfare provisions at work mean that we have lots of water fountains placed around the office for easy access. We are also provided with a coffee machine, and the means to make coffee/tea/anything in the kitchen. We are also provided with some free fruit. This is a very good benefit to the HSW Act!

Impact of legislation covering financial transactions for IT organisations

Legislation covering financial transactions has been put in place in an effort to tackle money laundering. The regulations help keep track of money flow and customer identity.

Customer due diligence
Part of these regulations is carrying out ‘customer due diligence’ checks. Businesses are required to gather certain information about a customer, namely:

  • Name
  • Photograph on an official document which confirms their identity
  • Residential address or date of birth

This ‘customer due diligence’ check should be carried out under the following circumstances:

  • when you establish a business relationship
  • when you carry out an ‘occasional transaction’ worth €15,000 or more
  • when you suspect money laundering or terrorist financing
  • when you have doubts about a customer’s identification information that you obtained previously
  • when it’s necessary for existing customers – for example if their circumstances change

Monitoring
It is important to have tools in place to monitor your organisation to spot any potential threats or signs of money laundering. This has the following impact on the organisation, which will:

  • have to appoint a ‘nominated officer’ and make sure that employees know to report any suspicious activity to them
  • have to identify the responsibilities of senior managers and provide them with regular information on money laundering risks
  • have to train relevant employees on their anti-money laundering responsibilities
  • have to document its anti-money laundering policies and procedures
  • have to introduce measures to make sure that the risk of money laundering is taken into account in the day-to-day running of the business

Policy statement
Organisations are required to produce a policy statement, which is a document that includes your anti-money laundering policy and the procedures your business will take to prevent money laundering. The document provides a framework for how your business will deal with the threat of money laundering. This document is likely to include:

  • details of your approach to preventing money laundering, including named individuals and their responsibilities
  • details of your procedures for identifying and verifying customers, and your customer due diligence measures and monitoring checks
  • a commitment to training employees so they’re aware of their responsibilities
  • a summary of the monitoring controls that are in place to make sure your policies and procedures are being carried out
  • recognition of the importance of staff promptly reporting any suspicious activity to the nominated officer

Record keeping 
Companies should keep records of all customer due diligence checks they carry out. Keeping comprehensive records allows businesses to show that they have complied with the Money Laundering Regulations. This is crucial to protect the business if there’s an investigation into one of its customers.

You must keep your records for five years beginning from either the date a business relationship ends, or the date a transaction is completed.

In my workplace

My organisation handles a lot of grants (giving money to entities for e.g. research projects). This means we have to keep a detailed log of every transaction, as well as store information on whomever we have these dealings with. To do this, we use a piece of software called Microsoft CRM, which is effectively a large contact database of everyone we’ve distributed grants to or bought services off. This makes it easy to comply with legislation covering financial transactions.

Conflicts of interest for IT professionals

Conflicts of interest arise when a person’s personal interests interfere with their public / professional obligations. For example, there would be a conflict of interest if the person responsible for reviewing construction site safety had shares in the construction company he is reviewing (or any construction company for that matter).

In computing
Most conflicts of interest revolve around money. Human nature means that people will game the system if there is some financial gain. This doesn’t change in computing.

Some examples of conflicts of interest in computing would be using insider company information to buy stock shares, investing in a particular company and then picking their software over others for corporate use, or programming your search engine to promote results from companies you have vested interest in (and hiding the results of competitors).

Conflicts of interest in my role 
In IT you have a lot of influence over the technical side of an organisation. This includes deciding which PCs, software, and other computer hardware to buy. A conflict of interest would immediately arise if you happened to be invested in a particular computing company, as you might pick their products to supply your organisation over others, simply because it would personally benefit you.

Another conflict of interest that could arise is when hiring people. It is important to be completely impartial and unbiased when picking between candidates, but a conflict would arise if you’re dealing with people you know, e.g. family members. Being involved in the hiring process is not a good idea if you know any of the people applying for the job.


Standards for System Development

System development standards provide guidelines to follow throughout development. For system development, the standards can be split into naming conventions, directory structures, and annotation standards.

Naming conventions
Setting a standard format for the names of files, procedures, variables, and test files. This makes code easy to work with, and allows for easy searching/sorting of files.

Directory structures
Refers to where source, object, test files, control procedures, screens etc. are to be located. It is important to have a good file structure, to make it easy to sort and search for particular files. Files should all be stored in logical sections, e.g. all pictures in the ‘Picture’ folder (perhaps with sub-folders for different types of pictures).

Annotation standards
Setting a standard for how code should be commented/annotated, for example revision history, comments at the start of a program, procedure comments explaining the code etc. Annotating code makes it easily readable, since un-annotated code often makes sense only to the original coder. Annotations allow other coders, and even non-coders, to pick up some code and understand its function.

Standards in my workplace
Below are some examples of standards in place at my workplace:

Version control – Any operational documents contain a version history. Any changes to the document are logged in that section, including who made the changes, when they were made, and what exactly the changes entail.

Signature – All our work emails are set up with the same signature template, which contains my organisation’s branding, as well as useful contact details.

Asset tagging – All pieces of hardware are tagged following a standard format (at my workplace this is ‘THFxxxx’, with the ‘xxxx’ being a 4-digit number). All the tags look the same, and they are logged in our database which keeps track of which assets are tied to which people.

Quality Management Systems

A QMS can help you improve the quality of your product or service, meet and exceed customers’ expectations, and improve efficiency to cut the costs of running your business. There are quite a few benefits of implementing a QMS:

  • Ensuring customer satisfaction with a consistent high quality product or service
  • Providing competitive and financial advantage through improved efficiencies and reduced costs
  • Improved company reputation and confidence of stakeholders through strategic communication
  • Increased leadership involvement and employee engagement

QMS in my workplace

My organisation, The Health Foundation, is a charity, and doesn’t actually have much interaction with ‘customers’. We therefore do not need much in the way of external QMS.

One internal method of QMS is peer review. Every document produced, e.g. IT user guides, is checked through by independent sources to make sure there aren’t any errors.

Another method is user testing. Any documents or material which is to be used by employees is first extensively tested on a select few users, to try and pick up on any errors or areas for improvement.

How is data validated?

Any work completed is peer reviewed, allowing multiple different people to confirm the validity of the data. For example, I recently drafted a user guide for my organisation, and my line manager checked through it first to make sure all the information was correct before it went live.

Who checks your work?

My line manager checks to see what work I’ve completed during the week. He does this by looking at our ticketing system, in which you can log the length of time you spent on a particular job. It is also the line manager’s job to help peer review work.

Do you get feedback from your clients?

The Health Foundation doesn’t actually deal with many clients, but those who we do deal with can email us to provide any positive/negative feedback.


Data Protection Act (1998) and Computer Misuse Act (1990) relating to IT professionals

How does this legislation affect the job you do?

The Data Protection Act affects the way data is handled at my organisation. It means we have to secure our data adequately from external (and internal) malicious attack. It also means we have to store it in a responsible manner, and only allow access to the right individuals (e.g. only HR should have payroll details).

The Computer Misuse Act means that we have to put many restrictions on users when they use their PCs. For example, normal users are unable to install software and run new executables – only IT admins have the privilege to perform this action for the users. Whenever a new user joins the organisation, we have to get them to sign a policy agreement document in compliance with the Computer Misuse Act.

When do you have to worry about Data Protection?

Whenever handling sensitive personal information. Some examples include:

  • ethnic background
  • political opinions
  • religious beliefs
  • health
  • sexual health
  • criminal records

What procedures are in place to help with Data Protection?

Group policy restrictions mean that it is really easy to govern which users get access to which data, from an administrator perspective. We also have a policy of clearing your desk of any clutter, to prevent users from leaving out any sensitive documents e.g. bills. We also have strong anti-virus automatically installed on each freshly imaged PC, doing much to protect the endpoints from malicious attack.

What are the consequences of breaching the act?

Breaching the Act currently carries a fine of up to £500,000. However, the law is changing so that the maximum fine will be €20 million, or 4% of global turnover (whichever is higher).

What implications does the Computer Misuse Act have for the work you do?

One of the implications is that users have to read and sign a long IT policy agreement document when they join the organisation. We also have to implement security restrictions on which applications users can run, what parts of the network they have access to, and what data they have access to.

What are the consequences?

The consequences of breaching the act vary depending on the severity of the breach. The tiers can be seen below:

  • Offence 1 (Unauthorised access to computer material) – Up to six months in prison and/or a hefty fine.
  • Offence 2 (Unauthorised access with intent to commit or facilitate a crime) – Up to a five year prison sentence and/or a hefty fine.
  • Offence 3 (Unauthorised modification of computer material) – Up to a five year prison sentence and/or a hefty fine.
  • Offence 3a (Making, supplying or obtaining material that could be used in computer misuse offences) – Up to a five year prison sentence and/or an unlimited fine.

When do you have to worry about it?

You must worry about the Act any time you are working on someone else’s computer device. This could be when you are either at the physical PC itself or connecting remotely to the desktop for remote working.

BCS membership benefits

Joining the Chartered Institute for IT will give you access to a range of great services and tools to support you now and throughout your career, as well as a host of networking opportunities.

Below are some of the main ways being a member of the BCS can be beneficial:

Some further benefits include:

  • Email forwarding, giving you a consistent and professional email address (@bcs.org) for the lifetime of your membership
  • Significant discount on Professional Indemnity Insurance (PII)
  • UK employment dispute services
  • Legal help – online or telephone
  • Framing & plaque service, for your Membership certificate
  • Discounts on a number of training courses, from a number of providers